Advertising

What exactly do you do with the variables you set inside the if body?
Are they always the same? Where does the data originate from?
I try to understand the scenario better, because I vaguely think I may
be able to find a much simpler solution which would require possible
minimal code changes. But I can't express myself clearer at the
moment, it's more a gut feeling.
It would be good if you could post some *concrete* example of three or
four of the if blocks, that would definitely aid understanding.

he gave a couple of examples a while back.
An example would be populating one variable from several possible sources,
depending on the log type. In some cases it may require combining multiple
variables so it can't be solved in the parser

These "possible sources" and "log type" and "multiple variables" are
exactly what I would like to clarify. Depending on the fine details,
there may be a simple solution, maybe not. At least something to think
about. I am thinking about someting along the lines of e.g. imfile
input with an extra metadata parameter, e.g.
metadata=["!var=foo", "!bar=another text"]

while that would be very useful, it's not this situation. In this case he is
able to deal with this by setting tag to a structured value and then parse it
later rather than setting multiple metadata values.

In this case, we're working much later in the process, where it doesn't
matter that the source was from an imfile. It's working with the data after
it's been parsed by mmnormalize and then cleaning up the things where
different logs still result in non-normalized data.

This could be because the source came in with names already (json, cef,
name-value, etc), or because you need to take multiple fields in the log and
combine them.

if the liblognorm ruleset ammend=: line could assign variable contents, not just
constant strings, it would address 90% of the issues.

David Lang

But for me it is very hard to really think about it without a concrete
case. Looking at an abstract level, things seem easy, but the rest of
the conversation indicates to me that the abstraction may not
necessarily be correct, so I would like to see the dirty *real life,
real code" that shall be used.

along the lines of:
if type = 1 then
set var = $foo
else if type = 2 then
set var = $bar
else if type = 3 then
set var = $baz + $bar
another thing that can be done in this sort of structure is to save
different logs in different places (type 1 & 2 go in dir A, type 3 goes in
dir B)
or writing the different logs using different templates.
If you look at the rules that I had, you see that I did a lot of that type
of thing. But I just did it as if statements